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Summary 


Big Data has the potential to transform the ways that analysts understand the world in 
which we live. Social media data, a subset of big data, could provide a new method of 
examining society that was hitherto available through snapshot methods such as census 
data or surveys. 


One of the defining features of modern society is the move to mass uptake of social media, 
the creation, sharing and exchange of information, ideas and pictures within virtual 
communities and networks. Millions of individuals from across the globe have signed up to 
social media platforms, such as Facebook, Twitter and LinkedIn, and this phenomena has 
led to vast collections of personal data. As the tools to analyse and organise vast quantities 
of digital data have been developed, both commercial and governmental organisations 
have considered how that social media data might be put to use. 


We have found the UK well-placed to take advantage of social media data, and its analysis, 
for the benefits of better governance and commercial opportunities. There are, however, 
persistent problems in ensuring that the education system is generating people with the 
right skill sets to feed this growing industry and that government organisations have the 
necessary insights to ensure it is used to its fullest extent for the benefit of UK citizens. 


One key aspect of the use of social media data is the tension that exists between the 
generation of data by individuals and the use of that data by organisations. We have not 
been convinced that the users of social media platforms are fully aware of how their data 
might be used and what redress they may, or may not have if they disagree with how an 
organisation exploits that data. This is exacerbated by our finding that terms and 
conditions contracts are simply too long and complex for any reasonable person to make 
any real sense of. Reading such documents has been likened to engaging with 
“Shakespeare”. Drafted by lawyers, to be used in American court rooms, the contents of 
terms and conditions have been designed to protect organisations in the event of legal 
action. As a mechanism for showing that users have provided informed consent, so that 
organisations can process incredibly persona data, terms and conditions contracts are 
simply not fit for purpose. 


We were pleased to find a willingness among those in the industry to develop good practice 
and to seek ways in which the users of services might better understand how their data may 
be used, how to actively protect their privacy and how to judge the ethical standards of 
service providers. We are keen to see the Government become more actively involved in 
developing global standards and possibly kitemark that would mark out service providers 
that meet those global standards in the care and handling of personal data. 


We are worried that current legislation is no longer sufficient now that data moves more 
easily across digital platforms and that technologies can be used to analyse multiple sets of 
such data in real time. Whilst legislators have reflected on how regulation should be 
updated, governing bodies are floundering when it comes to the details of legislation. The 
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draft EU General Data Protection Regulation (2012) has attracted criticism from industry, 
and progress on agreeing a final commitment has not been forthcoming. Furthermore, 
national governments can find it difficult to regulate industries who provide services that 
can be delivered from anywhere in the world. 


Personal data should not be undervalued and the Government has a clear responsibility to 
explain to the public how personal data is being used to make improvements to products 
and facilities. The Government needs to lead the conversation around security of personal 
data, so that in future years, members of the public can engage with online services with the 
confidence that their personal data is secure. 
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1. Introduction 


Social media data 


1. Modern society is generating an “ever-increasing” volume of data and there is a lot of 
speculation on how the data generated by social media platforms might be utilised by both 
private and public organisations.' techUK°’ defined social media data as “information 
relating to user-generated content on the internet”’ and, as it produces data sets too large 
for traditional data processing, belongs to what is generally categorised as big data.’ 


2. The Government outlined some statistics drawn from Digital Insights about public 
engagement with social media platforms in 2013: every day 400 million tweets are posted 
to Twitter, 350 million photos are added to Facebook and over a billion videos are viewed 
on YouTube.° The Internet Association wrote that “analysis of large datasets can lead to the 
discovery of new opportunities, unanticipated insights, and unexpected services that bring 
value to society, businesses, and governments’® and the Government considered that social 
media data may have the “potential to transform public and private sector organisations” 
whilst driving “research and development”.’ 


3. The Information Commissioner’s Office’s (ICO) report, Big Data and Data Protection, 
published in July 2014, described big data as an area that was “fast-evolving”.’ The 
infrastructure required to support this growing field is clearly an important aspect for 
future Government activity and one that the Government is addressing through 
partnership with the Economic and Social Research Council (ESRC) Administrative Data 
Research Network’ and investments in a number of projects including: 


i) “£42 million announced this year to establish the “Alan Turing Institute for Data 
Science’ which will research new ways of collecting, storing and analysing huge 
data sets. 


! SMD 002 [Paras 7-8]. 

2 techUK is a trade organisation representing companies from the information technology, telecommunications and 
electronics sectors. 

3 SMD 023 [Paras 1.3 & 1.6]. 

4 The Gartner IT Glossary describes big data as “high-volume, high-velocity and high-variety information assets that 
demand cost-effective, innovative forms of information processing for enhanced insight and decision making”. 
Gartner IT glossary, Big data, garner.com/ITglossary. Accessed 24 October 2014. 

: SMD 020 [para 3]; see also: Social Media Today, ‘Social Media in 2013: By the Numbers’, socialmediatoday.com and 
Digital Insights, ‘Social Media facts, figures and statistics 2013’, blog.digitalinsights.in. Both accessed 24 October 
2014. 

6 The Internet Association, Request for Comments Concerning Big Data and the Consumer Privacy Bill of Rights 
(Docket No. 140514424-4424-01), published 5 August 2014, page 11. 

SMD 020 [para 2]. 

a Information Commissioner's Office, Big data and data protection, July 2014, paragraph 4, page 2. Available at 
ico.org.uk. Accessed 24 October 2014. 

9 The stated core aim of the ADRN is to “facilitate access to and linkage of de-identified administrative data routinely 
collected by government departments and other public sector organisations”. See Economic and Social Research 
Council, ‘ESRC Big Data Network - Phase 1’, esrc.ac.uk. Accessed 24 October 2014. 
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ii) £189 million announced in the 2012 Autumn Statement to support big data and 
energy-efficient computing projects such as the National Biomedical Informatics 
Institute and a UK network of Administrative Data Research Centres. 


iii) Setting up the Connected Digital Economy Catapult (CDEC), which will receive 
over £50 million investment from the Technology Strategy Board. CDEC will play 
a leading role in developing new tools, platforms and assets to enable innovative 
UK companies to take advantage of the commercial opportunities provided by the 
growth in data.”!” 


4. As the information delivered through social media platforms develops rapidly in terms 
of the volume of data and number of users, there is a tension between obtaining data for 
commercial/administrative use and the ethical dimensions of using social media data that 
resonates, as Professor Liesbet van Zoonen, Principle Investigator of the IMPRINTS 
project'', pointed out, with the disturbing themes raised in the novel Nineteen Eighty Four 
by George Orwell.” Orwell painted a world in which the privacy of individuals had been 
severely eroded and where personal information was used by the state to control citizens. 
Whilst the concerns raised in this inquiry did not reach the same epic proportions, there 
were serious misgivings raised in relation to obtaining informed consent for the use of 
citizens’ data. 


Data protection legislation 


5. The law concerning the rights of individuals in relation to their data was outlined in the 
EU Data Protection Directive (95/46/EC) and transposed into UK law through the Data 
Protection Act 1998.'° The growth of the use of big data, and services such as social media 
platforms, has coincided with the original EU legislation being revisited. The EU 
Commission published a draft General Data Protection Regulation, in January 2012, to 
update data protection legislation.'* The Regulation would, as drafted, expand on the rules 
governing consent and privacy issues such as the ‘right to be forgotten’ and mandating the 
collection of explicit consent for data usage. For example, the conditions for consent 
outlined in Article 7 are drafted as follows: 


1. The controller shall bear the burden of proof for the data subject's consent 
to the processing of their personal data for specified purposes. 


10 SMD 020 [para 15] 

1 IMPRINTS (identity Management - Public Responses to identity Technologies and Services} was a “was a comparative 
and multidisciplinary research project, asking about the influences on UK and US publics to engage and/or 
diserigage with identity management practices, services and technologies of the future”. Its final project report was 
published in September 2014. See imprintsfutures.org. Accessed 24 October 2014. 

12 SMD 003 {para 3.2.2]; George Orwell, Nineteen Eighty Four, Published July 1950, Signet Classics 


3 Directive 95/46/EC, On the protection of individuals with regard to the processing of personal data and on the free 
movement of such data, 24 October 1995; Data Protection Act, 1998. 
‘4 European Commission, Proposal for a regulation of the European Parliament and of the Council on the protection 


of individuals with regard to the processing of personal data and on the free movement of such data (General Data 
Protection Regulation), 25 January 2012 
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2. If the data subject's consent is to be given in the context of a written 
declaration which also concerns another matter, the requirement to give 
consent must be presented distinguishable in its appearance from this other 
matter. 


3. The data subject shall have the right to withdraw his or her consent at any 
time. The withdrawal of consent shall not affect the lawfulness of processing 
based on consent before its withdrawal. 


4. Consent shall not provide a legal basis for the processing, where there is a 
significant imbalance between the position of the data subject and the 
controller."° 


Our inquiry 


6. Although social media data is a potentially valuable source of information for both 
economic and governance purposes, the opportunities that exist are accompanied by a 
series of ethical challenges surrounding the issues of privacy and informed consent. These 
ethical challenges are international in nature. We wanted to ensure that the UK 
Government was considering how social media data could be used both effectively and 
responsibly and sought written evidence on the following terms of reference 


i) How can real-time analysis of social media data benefit the UK? What should the 
Government be doing to maximise these benefits? 


ii) How does the UK compare to other EU countries in funding for real-time big data 
research? 


iii) What are the barriers to implementing real time data analysis? Is the new 
Government data-capability strategy sufficient to overcome these barriers? 


iv) What are the ethical concerns of using personal data and how is this data 
anonymised for research? 


v) What impact is the upcoming EU Data Protection Legislation likely to have on 
access to social media data for research? 


vi) Is UK legislation surrounding the collection and use of data fit for purpose? 


7. We received 32 written submissions and held three evidence sessions, focusing on the 
benefits of social media data, the barriers to effective use of social media, questions 
surrounding informed consent and privacy, culminating in a final evidence session with 
Ed Vaizey MP, Parliamentary Under Secretary of State for Culture, Communications and 


'S European Commission, Proposal for a regulation of the European Parliament and of the Council on the protection 
of individuals with regard to the processing of personal data and on the free movement of such data (General Data 
Protection Regulation), Article 7, 25 January 2012 
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Creative Industries, Department for Culture, Media and Sport. We would like to thank all 
contributors for their involvement in this inquiry. 
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2 The potential benefits of social media 
data 


8. Our first consideration was to establish if social media data had the potential to provide 
benefits for the UK in terms of both economic growth and more effective governance. 


Economic benefits 


9. Sir Nigel Shadbolt, Professor of Artificial Intelligence at the Web Science Trust, told us 
that the data science sector was “set to grow, by some accounts, by around 100% in three to 
four years’ time”.'® His view of data, in an article he had written for The Times, as “the new 
raw material of the 21“ century” was echoed by the Minister, who noted that big data was 
being called the “oil of the 21 Century”.”” 


10. techUK identified social media data, as a particular subset of big data, as a huge area of 
growth with studies indicating “that, with over 1.5 billion social media users and 80% of 
online users interacting with social media regularly, there is a $1.3 trillion global 
opportunity to be unlocked through the social media revolution”.'* The Minister told us 
that the Government viewed social media data as an important part of big data as an 
overall resource.” 


11. Carl Miller, of the think tank Demos, noted that, currently, “a few fields are completely 
redrawing their business models” on the basis of social media data becoming available for 
use and we heard examples of ways in which UK businesses could benefit from social 
media data.*? The UK was already taking a “leading” role in “scientific information and 
research evaluation”, an established sector that Timo Hannay, Digital Science, thought 
would be “revolutionised” by the use of “online data”, including (but not limited to) social 
media data.*' techUK told us that improvements could be made to products in light of 
knowledge about consumers gained from social media data: 


[social media analysis] provides businesses with the ability to undertake well- 
targeted branding and marketing campaigns, carry out brand logo 
monitoring, better understand public sentiment and intent, strengthen their 
customer engagement and enrich their existing Customer Relationship 
Management provisions.” 


© Q85 [Sir Nigel Shadbolt] 
‘7 Tim Berners-Lee and Nigel Shadbolt, ‘There's gold to be mined from all our data’, The Times, 31 December 2011; 
Q199 [Ed Vaizey MP]. See also SMD 015 [para 2] 


18 SMD 023 [para 1.8] 
"9 Q198 [Ed Vaizey MP] 
20° Q7 [Carl Miller] 

21 Q7 [Timo Hannay] 

22 SMD 023 [para 1.9] 
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The Government remarked that data could “enable market-changing products and 
services”.”> There may also be benefits for consumers themselves. The Consumer Data 
Research Centre at the University of Leeds noted that “better and more effective consumer 
outcomes could be obtained by optimising consumer choices in light of individual 
lifestyles”.* It went on to add that “opinions—positive and negative—of [customer] 
experiences can guide service providers and contribute to UK brand positioning 
internationally”.» 

12. Witnesses were optimistic about the ability of the UK, to a greater extent than many 
other countries, to develop social media data into an economically important resource. 
Mr Miller said that the UK was considered a “leader” in Europe due to a “strong higher 
education sector and lively tech innovation hubs”.*® His thoughts were supported by the 
Minister, who stated that the UK stood in “good comparison with other European 
countries” while recognising that other countries such as the US, Japan and India held 
strengths.’” Research Councils UK was also of the opinion that the UK was in “a position to 
become a world-leader in this area”, although it added that current training and capacity 


» 28 


building provisions were “insufficient to meet the growing demand”. 


Administrative benefits 


13. According to Mr Miller, social media data, when placed in the hands of civil servants, 
has the potential to provide a contribution to “evidence based policy making”.”” Other 
witnesses highlighted its ability to supplement information gathered about the UK 
population from other means, such as the census or surveys; Emma Carr, Big Brother 
Watch, told us that the Office for National Statistics was “looking at Twitter to see what it 
can ascertain from that that it could not necessarily ascertain from the census”.*’ In other 
countries, social media has been able to provide key information that would be useful for 
governance purposes: for example, according to one witness, in Australia, Twitter users 
began to use the hashtag #mythbusters to identify whether flooding incidents were true or 
not.*! 


14. However, Dr Ella McPherson, University of Cambridge, was clear that social media 
could probably only ever be used in “addition to, not as a replacement for, other methods 
of inquiry”. Dr Mathieu d’Aquin, Open University, gave us an example of how Twitter 


23. SMD 020 [para 2] 

24 SMD 004 [para 2] 

25 SMD 004 [para 9] 

26 Q9 [Carl Miller] 

27 Q200 [Ed Vaizey MP] 

28 SMD 022 [para 2] 

29° Q10 [Carl Miller] 

30 Q51 [Professor Yates]; Q33 [Dr McPherson]; Q152 [Emma Carr] 


31 Q39 [Professor Preston] According to Professor Preston, “’Mythbusters’ is a television programme about busting 
myths, conspiracies and so on, and people were using the hashtag to say what was real and what was not. That 
became a trending hashtag, with people using it to ask whether the flood was really happening in an area.” 


32, Q33 [Dr McPherson] 
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could be used to establish that events were taking place, which could be validated by CCTV 
footage.*? Professor Mick Yates, Consumer Data Research Centre, University of Leeds, 
explained that the data collected by the census provided “a broad look at everything, in a 
structured and detailed way” and could not be replaced by social media data as, unlike the 
census, people on social media platforms choose what to share, if they participate at all.*4 
As we concluded about administrative data in an earlier report, The Census and Social 
Science, social media data could only serve a supporting role for more traditional data types 
rather than being the sole source of social information.** 


33 Q152 [Dr d’Aquin] 
34 Qq51;36 [Professor Yates] 
35 Science and Technology Committee, Third Report of Session 2012-13, The Census and Social Science, HC 322, para 59 
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3 Barriers to using social media data 
effectively 


Data science skills in the UK 


15. The benefits of using social media data will require the correct infrastructure to be in 
place, including the necessary hardware, good software and the right people. This section 
focuses on the availability of the necessary skills rather than the development of the 
hardware and software infrastructure, as evidence to the inquiry on infrastructure was 
generally positive and Government initiatives surrounding big data were described as 
good. There are, however, issues regarding the use of social media data in improving 
governance than for seeking economic benefits. 


Data Science use in governance 


16. We have received evidence that government organisations’ use of social media data was 
inconsistent across the UK. With regard to their ability to utilise social media data during 
emergency events, Professor John Preston, University of East London, contrasted the 
differences between the local governments for London, Birmingham and Carlisle: 


each had different strategies in their use and interpretation of social media. 
Birmingham was very much ahead of the curve in using Twitter, Facebook 
and YouTube; London, being the seat of Government, was quite top-down; 
and Carlisle said that they did not want to use social media that much—it 
was very much face-to-face contact and radio communications that they 
wanted to use.*° 


He reflected that the success in using social media within Government organisations 
ultimately depended upon the interest levels of officials.*” 


17. Sir Nigel Shadbolt, Web Science Trust, considered that, if social media data was to be 
used effectively within government, at both local and national levels, there was a need to 
investigate whether civil servants had the right “mix of skills”.** We were told that there 
was a general shortage of people in the UK with the right mix of data science skills and 
techUK reported a risk that this shortage may be felt more acutely by public sector 
organisations, as “those with the required skills prefer to take roles within start-ups rather 
than in government or established business where skills are currently needed”. techUK 


36 = Q37 [Professor Preston] 
37, ——« Q37 [Professor Preston] 
38 Q116 [Sir Nigel Shadbolt] 
39 SMD 023 [para 3.3] 
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thought that the “Government should have a programme of re-skilling to optimise 
opportunities” .*° 


Data science skills outside Government 


18. Sir Nigel informed us that there were many job opportunities for data scientists in the 
UK, “there was a survey just this year by Eurojobs.com that looked at the 6,000-odd jobs 
that mentioned the words “data” or “data science” in their title. Half of those—over 50%— 
came from Britain”. He said that the “nearest EU competitor was Germany”, which only 
hosted a 9% proportion of advertised jobs.*! 


19. Despite the abundant employment opportunities, there appears to be a distinct 
shortage of people with the right combination of skills to fill the job vacancies in data 
science in the UK. techUK considered there to be “a skills and educational gap which is 
creating [a] lack of data specialists in the UK” while Digital Science pinpointed “the most 
pressing deficit” to be “insight combined with technical talent”.** Sureyya Cansoy, techUK, 
told us that e-skills UK, the sector skills council for information technology,” “expect big 
data job vacancies to grow by 23% annually by 2017” and that “techUK and e-skills predict 
that we will need another half a million [people skilled in data science] by 2020”. She also 
told us that currently “57% of recruiters dealing with big data vacancies say that it is 
difficult to find people for the jobs they are looking to hire for”.*” Timo Hannay, Digital 
Science, picked out a company, Altmetric, as an example which “currently has eleven staff 
but seven vacancies, of which five are technical—essentially developer and data analytics 
type roles”.*° He stated that the numbers give “some indication of the difficulty” that UK 
companies are having in getting the “high calibre of person” needed to fill such vacancies.” 


20. Witnesses recognised that the Government had begun to take action on skills shortages 
in data science, producing Seizing the data opportunity: A strategy for UK data capability, a 
joint venture between the Government, the Information Economy Council, industry and 
academic institutions.** The Strategy identifies what proficiencies are needed by industry, 


40 SMD 023 [para 3.3] 

41 Q85 [Sir Nigel Shadbolt] 

42 SMD 023 [para 3.3]; SMD 010 [para 13] 

4 e-skills UK works “on behalf of employers to develop the software, internet, computer gaming, IT services and 
business change expertise necessary to thrive in today’s global digital economy”. See ‘About e-skills UK’, e-skills.com. 
Accessed 24 October 2014. 

44 Qq28-29 [Sureyya Cansoy] 

4 — Q29 [Surreya Cansoy] 

46 Q30 [Timo Hannay]. Altmetric is a London-based start-up company which aims to “track and analyse the online 
activity around scholarly literature”. See ‘About us’, altmetric.com. Accessed 24 October 2014. 

47 Q30 [Timo Hannay] 

48 Department for Business, Innovation and Skills, Seizing the Data Opportunity: A Strategy for UK Data Capability, 
BIS/13/1250, October 2013. Note: the Information Economy Council is a body intended to “provide a vehicle for 
government and industry to work in partnership to develop and deliver a long-term strategy to support the growth 
of the Information Economy in the UK”. It consists of representatives from government, business and academia and 
is co-chaired by the Minister for Culture and Digital Industries, Ed Vaizey MP, and Victor Chavez, President of 
techUK. See techUK, ‘Leadership for information economy council’, techuk.org. Accessed 24 October 2014. See also 
Q29 [Sureyya Cansoy]. 
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where the gaps are, where action is needed and what needs to happen in schools, higher 
education and apprenticeships in terms of promoting the reputation of the industry.” The 
ESRC considered the Strategy an excellent starting point, but that strong leadership would 
be required to overcome barriers such as the development of data science expertise, 
pointing out that the rate at which the demand was growing “is not matched by increased 
investment in more comprehensive training and skills programmes”. We have noted that 
the Government is pursuing a number of plans to promote data science skills within the 
curriculum, including projects carried out in conjunction with e-skills. We are aware of 
projects such as the e-skills’ BigAmbition website, aimed at 14-19 year olds,*' or the CC4G 
(Computer Clubs for Girls) project,” both of which are set to have a positive impact on the 
future UK workforce. This Committee, in its report Educating tomorrow’s engineers’, has 
raised concerns about the Government's approach to developing engineering skills and to 
encouraging more students to embark on a technical career. The initiatives mentioned 
above demonstrate the type of input that can, and should, be encouraged. 


21. We have seen repeatedly that the UK is not producing the technically proficient 
people required to support modern businesses. In our report, Educating Tomorrow’s 
Engineers, we concluded that, despite the Government's recognition of the importance 
of engineering skills, there is a persistent gap in the numbers of engineers required to 
achieve economic growth. Data science is yet another skills area that urgently needs to 
be addressed if the UK is to be able to build an economy that can compete on the global 
stage. It is essential that the Government ensures that data science skills are promoted 
in educational institutions and within organisations that are able to provide data skills 
development. 


22. We repeat our recommendation, from our report, Educating Tomorrow’s Engineers, 
that learned societies, professional institutions and trade bodies put an obligation on 
their members to systematically engage in promoting data science skills through a 
structured programme of educational engagement. We request that the Government 
detail to us, in its response to this report, how it intends to ensure that organisations take 
part in a national effort to promote data science skills within the current and future UK 
workforce. 


Framing the debate 


23. Professor Liesbet van Zoonen, Loughborough University, told us that there was a 
disparity in how UK and continental European countries discussed issues related to data 
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collection. She said that in the UK, debate around collecting data from citizens was often 
defined in terms of a security framework (i.e. counter-terrorism or crime reduction) rather 
than improvements to Government services for the benefit of citizens. In contrast, the 
debate in Europe leans towards the improvement of services that can be derived from 
data.* According to Professor van Zoonen, this meant that the link between data sharing 
and better services was less apparent to UK citizens, who may also become less supportive 
of security-led data requirements once the initial security concern has abated.*° 


24. In the UK this attitude is demonstrated by the way in which the powers taken by the 
Government to address the threats of terrorism have subsequently been characterised as 
government snooping and breaching the privacy of citizens. In summer 2014, a number of 
national newspapers criticised GCHQ’s access to social media data. The Mail Online 
reported that “GCHQ ‘can spy on Facebook and YouTube users and has ability to 
manipulate online polls’, latest Snowden leaks claim”, whilst the BBC reported that GCHQ 
were able to “legally snoop” on users of social media and email systems.°”? Commentators 
compared the activities of GCHQ to those of a “surveillance state”, resulting in GCHQ 
being named the biggest “internet villain” by the Internet Service Providers’ Association.* 


Public trust 


25. We explored the perception that the Government is not trusted to use the personal data 
of citizens responsibly. Dr Mathieu d’Aquin, Open University, told us that the key question 
held by a number of individuals is “What are they going to do with [my data], and how can 
I understand what is going to be done with it in such a way that I can be reassured that the 
interpretation, understanding and use of the data will not go against my interest?” The 
University of Manchester told us that “experimental research in relation to confidentiality 
statements” has shown that the public supports secondary data use “when they are aware of 
the purpose of it”, but EMC, an IT company, told us there was a failure in communicating 
the benefits of big data analysis to the general public.® techUK speculated that the 
Government may be hesitant in talking about data use due to a “fear of media and public 
opinion following several high profile cases of lost data, security breaches and general 


‘mistrust’ of how government uses this type of information”.°! 


26.Emma Carr, Big Brother Watch, highlighted that “generally, people hold the 
Government to a much higher standard when it comes to data protection” than they do 
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private companies.” She explained that “people know that private companies are usually 
using their data to make money” but that “people seem to get extremely upset about data 
being used within the public sector” or if they “see any indication that the Government are 
making money” from personal information.” 


27. A recent example of the Government’s poor communication of data use to the public 
was in relation to care.data.“ Professor van Zoonen speculated that care.data had been 
framed as helping the NHS as an institution rather than helping individual patients.” This 
may have led to confusion amongst participants about the personal benefits that they 
would experience by taking part. There may also have been inadequate communication of 
the rights of individual patients. Ms Carr told us that Big Brother Watch had carried out 
some polls and found that a large percentage (69%) of people felt that they “had not been 
informed of the right to opt out of care.data”.°° The Web Science Trust pointed out that 
the: 


furore surrounding care.data indicates that data subjects are no longer 
content to accept assurances of the benefits of data analysis and sharing in 
the absence of a robust and trusted ethical framework. Whether this is 
because they consider the costs may be potentially too high, or the benefits 
potentially too low, or whether they wish to press the "pause button" while 
the implications of Edward Snowden’s revelations are digested is not clear.°’ 


The Horizon Digital Economy Research Institute suggested that the Government should 
ensure that research involving personal data is overseen by “ethics review panels that 
operate under published guidelines”, as happens in the academic field. 


28. Real buy-in from members of the public for the use of their data is most likely to be 
achieved by delivering well-run services, which meet the expectations of customers. 
There are some excellent examples of administrative services that already exist in the 
UK, which demonstrate exactly what the UK should be aiming for: one shining example 
is paying your road fund license on the DVLA website, an easy-to-use and efficient 
service.” Services such as these provide benefits to both the service provider and 
customer, providing a trusted platform for the exchange of data and service. care.data 
is a clear example where this trusted relationship failed to develop. 


29. Members of the public do not appear to be wholly against the idea of their data being 
used by Government institutions, but support for data usage is highly dependent upon the 
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context within which the data is collected. The Government should have learned from the 
experience with care.data and we recommend that the Government develop a privacy 
impact assessment that should be applied to all policies that collect, retain or process 
personal data. 


Regulation of the industry 


30. Professor Liesbet van Zoonen, Loughborough University, told us that one reason for 
the lack of trust among the public was the “fear” that the citizen “will lose out to big 
business interests”.”” Big Brother Watch, referencing a 2013 poll it had commissioned, 
pointed out that “41% of consumers felt that they were being harmed by companies 
gathering their personal data” and the Information Commissioner’s Office’s (ICO) report, 
Big Data and Data Protection, indicated that “big data is sometimes characterised as a 
power relationship that favours corporations and governments”.’' The report recognised 
the EU Commission’s draft General Data Protection Regulation (GDPR)” as an attempt to 
“shift the balance of power in favour of the individual by giving them more explicit rights 
over the processing of their personal data”, a view supported by the Horizon Digital 
Economy Research Institute, which considered the GDPR would tighten “the legal 
language mandating consent” and establish “a stronger bias against the potential harm of 


profiling than previous data protection policy”.”* 


31. techUK did not see the GDPR as an unmitigated good, citing a 2013 Deloitte report, 
Economic Impact Assessment of the proposed European General Data Protection Regulation, 
that warned that the proposed Regulation could “reduce GDP by €173 billion [...] leading 
to a loss of 2.8 million jobs” across the EU.“ This was because they considered the 
legislation would restrict the “ability of businesses to use direct marketing” and by 
restricting organisations’ ability to effectively assess credit risk, “consumer credit could fall 
by as much as 19%”. The Deloitte report considered that the European Commission 
impact assessment on the proposed Regulation was “limited in its scope” and did not 
“adequately consider the economic impacts of the Proposed Regulation as currently 
proposed”.” 


32. In addition to legal obligations, the ICO has explained its views on how organisations 
should work with personal data. Its report on Big Data and Data Protection has been 
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described as outlining the ways in which the ICO “expects big data organisations to 
behave”.”° On launching the report, Steve Wood, ICO’s Head of Policy Delivery, said that 
“the basic data protection principles already established in UK and EU law are flexible 
enough to cover big data” and indicated that new legislation would not be necessary.” 


33. The UK Computing Research Committee (UKCRC) wrote that consideration of data 
protection legislation “must look carefully at the practical needs of data intensive research” 
whilst attempting to “strike a balance between legitimate regulation” and providing the 
academic research community with the “means of conducting empirical experiments on 
realistic data”.’”* Professor McAuley, Horizon Digital Economy Research Institute, pointed 
out that some small businesses were concerned about how to work with the “ethical” issues 
surrounding social media data, whilst still using the data to inform their business needs.” 
He said this was leading to “tension between innovation and regulation”.*’ The Internet 
Association wrote that it endorses a conversation shift towards a “responsible use 
framework” for data. *! 


34. The Government considered it “essential” to provide for “strong data subject rights to 
protect against abuse of personal data” but emphasised the need to “strike a balance”, 
recognising that a number of data controllers “have a legitimate interest to process data”.* 
The Government's UK Data Capability Strategy, Seizing the data opportunity, stated that 
“working with the Information Economy Council, the government will look at options to 
promote guidance and advice on the rights and responsibilities of data users”.** 


35. We note that a primary concern of the general public is that it is unable to limit the 
misuse of personal data by large organisations, but we recognise the work of the ICO in 
addressing some of these issues. We are attracted to the position of the ICO that big 
data should play by the same rules as every other form of data processing. It is essential 
that organisations operate in a transparent manner, allowing public confidence to 
flourish in light of knowledge about the way that their data is used.** The UK is already 
a leading player on the global stage in using social media data and we are keen for this 
status to be maintained, but only if that can be achieved while ensuring the personal 
privacy of UK citizens. 
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4 Informed consent and ‘terms and 
conditions’ 


36. The issue of how informed consent was obtained from users, for the rights to process 
their personal data, was raised early in the inquiry and was a central issue throughout.® 
Informed consent to participate in research is defined by the Council for International 
Organizations of Medical Sciences, as that given: 


by a competent individual who has received the necessary information; who 
has adequately understood the information; and who, after considering the 
information, has arrived at a decision without having been subjected to 
coercion, undue influence or inducement, or intimidation.*° 


37. As the use of social media data and its financial value continues to grow, it is clear that 
social media platforms potentially have a very important asset at their disposal, but the 
ability of organisations and researchers to use that data is limited by law. In the UK, this 
law is the Data Protection Act 1998, which maintains that consent must be obtained from 
individuals before their data can be used for research purposes.*” 


38. The University of Cambridge told us that 


Signing social media platforms’ terms and conditions does not necessarily 
correlate to informed consent, as research has shown that users sign these 
complicated documents without reading them in order to open their 
accounts.** 


The University of Manchester described the example of an individual using the social 
media platform, Twitter, where “there is a process of consent as part of creating a Twitter 
account” but even then, “it may not be entirely clear to the account holder how their 
Tweets might be used for secondary purposes, including research”. 


39. The call for ethical behaviour was not limited to the users of services. Sureyya Cansoy, 
techUK, reported that an “increasing number of companies” were “concerned about ethics 
questions” and Professor McAuley, Horizon Digital Economy Research Institute, said that 
“many small companies, even large ones, want to be seen to be behaving ethically and are 
getting somewhat annoyed at some of the unethical behaviours of others”.”” Timo Hannay, 
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Digital Science, told us that “we want to be able to abide by any reasonable requests that 
users may make to remove things”.”! 


40. The primary method for obtaining consent on social media platforms and their 
equivalents is by asking users to agree to terms and conditions when they register to use the 
service. Terms and conditions can be defined as “special and general arrangement([s], 
rule[{s], requirements, standards etc. forming integral parts of a contract or agreement”.” 
Dr Kevin Macnish, University of Leeds, commented on the problems in using this process. 


It is widely known that these forms are rarely read in detail or understood. 
The print is small and the eventual use often obscure. Even if signing the 
form could be considered an act of consent, it is often not an act of informed 
consent. Caveat emptor is an unfair response if a large number are signing up 
for the service on a (widely recognized) limited understanding of the future 
use of the information they will provide.” 


41. Professor John Preston, University of East London, told us that “people treat social 
media a bit like they treat the pub”.* He continued: 


They feel that if they go into a pub and have a private conversation, it does 
not belong to the pub; it is their conversation. They interpret Twitter or 
Facebook in the same way—as a place to have a conversation.” 


He thought that “people need to know what they are signing up to”.”° 


42. It could be argued that users are compelled to either accept terms and conditions 
(which they might disagree with) or relinquish access to services like social media 
platforms. While the Internet Association maintains that “companies compete on privacy 
and understand that there are few barriers to switching among providers should 
consumers lose confidence in an online platform or service”; if a Tesco customer wants to 
collect points using the Tesco club card, they have to sign up to Tesco’s terms and 
conditions.”’ Similarly, if a person wants to connect with their friends on Facebook, it is 
necessary to use the Facebook service and sign up to their data use policy.”® 


43. During this inquiry we sought to understand the issues surrounding informed consent, 
its importance in ensuring users understood what they were agreeing to, the manner in 
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which companies communicated that to users, the difficulties in services that are often 
sourced outwith jurisdictional boundaries and how these issue might be addressed. 


Length and complexity 


44. Professor David De Roure, Economic and Social Research Council, highlighted that a 
primary problem with terms and conditions is that “few people read [what] they are 
signing up to”.”? Dr Mark Elliot, University of Manchester, speculated that users just want 
to “get to the good stuff’, and Carl Miller, Demos, told us that there was “a wonderful 
statistic that if you read all the terms and conditions on the internet you would spend a 
month every year on it’.'°° Mr Miller concluded that “there has been little incentive for 
many platform providers to do anything other than issue 100-page documents, because 
everyone clicks “Yes”, and, to change the status quo, “pressure” would have to be applied 
from “outside the company”.'®' The lack of attention people pay to the terms and 
conditions was emphasised when, in 2010, GameStation temporarily added a clause to its 
terms and conditions that stated the company now owned the user’s “immortal soul”. 
Given the widespread acceptance of the clause, GameStation concluded that 88% of 
signatories did not fully read the terms and conditions documents.'®’ 


45. To compound the problem of length, terms and conditions contracts have been found 
to employ unnecessarily complex language. Dr Elliot identified the complex language used 
in terms and conditions as a barrier to reading them, “even if you made your terms and 
conditions only 500 words, I still do not think people are going to read them, partly 
because of the language they are written in”.'* Sir Nigel Shadbolt, Web Science Trust, 
labelled the contracts “totally impenetrable” and “more complex than Shakespeare”, 
necessitating a reading age of “19.2 years to get through”.'® Dr Kevin Macnish, University 
of Leeds, commented on the fact that these terms and conditions were often accepted by 
children and thus “if we are going to make the terms and conditions understandable to 
schoolchildren, that gives us a level of English and understanding that I think is sensible to 
be aiming at”.'°° 


46. We wrote to a number of social media platforms (or their parent companies) to ask 
questions about their commitment to informed consent and their use of terms and 
conditions. YAHOO! wrote that it provided information to users via dedicated privacy 
webpages;'”’ LinkedIn aimed to “provide clarity” to members about how the company used 
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their information in a similar manner,'® claiming it had earned the trust of users by 
respecting members’ “privacy and properly protecting their personal information”.'” 
Facebook explained that it had “introduced a simplified Data Use Policy,” which offered “a 
slimmed-down, jargon-free guide to the way that Facebook manages data” ''° (see image 
below).!!! 


Data Use Policy 


More resources 


However, with the exception of a comment by Twitter, stating that “during the registration 
process users must give their consent to our Terms of Service, Privacy Policy and Cookie 
Use”'” and a brief Facebook reference to Terms,'!’ there was little comment on how the 
terms and conditions documents (and their use to indicate consent for data use) were 
utilised by those organisations. 


47. Steve Wood, Information Commissioner’s Office, told us that often terms and 
conditions documents “will come from a culture within an organisation where lawyers are 
heavily involved. [...] It comes from the point of view that you need to cover 
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everything”.''* He speculated that “there may be some organisations that sometimes are 


PANES 


able to exploit the opacity of the notice”. 
48. The Minister agreed that terms and conditions were too complex, saying that 


the idea that people read 150 pages of terms and conditions is simply 
laughable; it is a complete nonsense. We all know what lawyers are like— 
every t is crossed and every i is dotted. But the consumer needs something 
that is easy to understand and straightforward.''® 


He reported that “the Information Commissioner’s Office is going to be the conduit for 
this kind of work, with the industry coming forward with proposals to simplify terms and 


conditions online”.!!’ 


49. We are not convinced that users of online services (such as social media platforms) 
are able to provide informed consent based simply on the provision of terms and 
conditions documents. We doubt that most people who agree to terms and conditions 
understand the access rights of third parties to their personal data. The terms and 
conditions currently favoured by many organisations are lengthy and filled with 
jargon. The opaque, literary style of such contracts renders them unsuitable for 
conveying an organisation’s intent for processing personal data to users. These 
documents are drafted for use in American court rooms, and no reasonable person can 
be expected to understand a document designed for such a niche use. We commend the 
Information Commissioner’s Office for investigating ways to simplify the contents of 
terms and conditions contracts and ask the Government, in its response to this report, to 
detail how the public at large will be involved in arriving at more robust mechanisms for 
achieving truly informed consent from users of online services. Clear communication with 
the public has been achieved in the past, for example in the use of graphic health 
warnings on cigarette packets. Effective communication with the public can be achieved 
again. 


Communicating the intentions for data use 


50. When questioned about user expectations on the use of their data by social media 
platforms, witnesses did not believe that terms and conditions documents allowed for 
informed consent to be provided for the use of that data.''* Carl Miller, Demos, held up 
Twitter as an example of better practice in this regard; he told us that Twitter was 
“unapologetically open” and the “clear statements” it used early on in the application 
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process were “helpful in informing people’s reasonable expectation about what can happen 
» 119 


and what is possible with their [data]”. 
51. The Information Commissioner’s Office’s report, Big Data and Data Protection, 
pointed out that the Data Protection Act 1998 requires an organisation to tell people: 


what it is going to do with their data when it collects it. It should state the 
identity of the organisation collecting the data, the purposes for which they 
intend to process it and any other information that needs to be given to 


enable the processing to be fair.'”° 


Despite this, witnesses to this inquiry considered that the communication of how collected 
data may be used was rarely clear and helpful: the University of Leeds even suggested that 
the Government should consider “introducing legislation which requires social media 
platforms to provide clearer information about what happens to users’ data than currently 


exists *** 


52. Social media platforms outlined their policies about transparency. For example, 
LinkedIn told us that its transparency reports were intended: 


to provide [their] members and the general public with information about 
the numbers and types of requests for member data that [LinkedIn] receive 
from governments around the world, as well as the number of [its] 
responses.” 


Similarly, Twitter told us that it “publishes a bi-annual Transparency Report to inform our 
users about key elements of disclosures”.!?? Facebook said that it had taken “extensive 
steps” to put “transparency and usability at the heart of our work on privacy, data use and 
consent” and outlined a number of methods it used to promote transparency including 
“Ad Preferences”, a feature that is currently available to users in the US, which is “a way for 
people to learn why they are seeing a particular ad, and control how we use information 
about them, both on and off Facebook, to decide which ads to show them”.'”4 


53. The Government was supportive of efforts to improve the transparency of data use, 
stating that it “expects businesses to be transparent and open about their use of consumer 
data. This transparency is essential if consumers are to feel safe and empowered in an 


increasingly digital marketplace”.'” 
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54. We consider it vital that companies effectively communicate how they intend to use 
the data of individuals and that if terms and conditions themselves cannot be made 
easier to understand, then the destination of data should be explained separately. We 
recommend that the Government drives the development of a set of information 
standards that companies can sign up to, committing themselves to explain to customers 
their plans to use personal data, in clear, concise and simple terms. In its response, the 
Government should outline who will be responsible for this policy and how it plans to 
assess the clarity with which companies communicate to customers. Whilst we support the 
Government in encouraging others to meet high standards, we expect it to lead by 
example. The Government cannot expect to dictate to others, when its own services, like 
care.data, have been found to be less than adequate. We request that the Government 
outline how it plans to audit its own services and what actions it plans to take on services 
that do not meet a satisfactory level of communication with users about the use of their 
personal data. 


Requiring versus requesting information 


55. When users sign up to access services, organisations often require that users provide 
personal information, usually without any accompanying explanation to justify such 
requirements. One Committee member observed that a flashlight (torch on mobile phone) 
application required him to allow the application to access his location before being able to 
download the flashlight service.'”° Professor Derek McAuley, Horizon Digital Economy 
Research Institute, agreed that this was an example of an unjustified request and suspected 
that the information was not needed for the application to do its job but the company was 
“obviously after it for some other reason”.'”” He indicated that companies were being 
“duplicitous in their behaviour” as they were “presenting one experience, yet asking for a 
lot more information”.'** In an article published by the Huffington Post entitled “The 
Insidiousness of Facebook Messenger's Mobile App Terms of Service’, marketing expert 
Sam Fiorella wrote: 


Facebook's Messenger App, which boasts more than 200,000 million monthly 
users, requires you to allow access to an alarming amount of personal data 
and, even more startling, direct control over your mobile device. I'm willing 
to bet that few, if any, of those using Messenger on Android devices, for 
example, fully considered the permissions they were accepting when using 
the app.'”” 


Some of the clauses in the contract highlighted in his article allow the app to: 
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e Record audio with microphone. This permission allows the app to record audio at 
any time without your confirmation. 


e Read personal profile information stored on your device, such as your name and 
contact information. This means the app can identify you and may send your 
profile information to others. 


e Take pictures and videos with the camera. This permission allows the app to use 
the camera at any time without your confirmation.'*° 


To clarify why this array of permission requests were made by the Facebook Messenger 
application, Facebook published an explanation page on its website, stating that: 


Almost all apps need certain permissions to run on Android, and we use 
these permissions to help enable features in the app and create a better 
experience for you. Keep in mind that Android controls the way the 
permissions are named, and the way they're named doesn’t necessarily reflect 
how the Messenger app and other apps use them."*! 


It listed a number of examples for permissions justifications, which included: 


Take pictures and videos: This permission allows you to take photos and 
videos within the Messenger app to easily send to your friends and other 


contacts.!*? 


56. We were informed that the Information Economy Council, a body co-chaired by the 
Government and the techUK president that “brings together Government, industry and 
academia to drive the information economy in the UK”, was “creating a set of data 
principles to address how we can reassure consumers in this new digital age without losing 
the opportunity to get the most out of technological innovations”.'** One working group, 
led by Professor McAuley, was working on how companies process personal information 
something, he indicated, that “industries are crying out for”.!* 


57. There is a qualitative difference between requesting personal information when 
registering for a service and requiring that same information. Companies should have a 
greater responsibility to explain their need to require (and retain) personal information 
than when they simply request it. We welcome the work of the Information Economy 
Council and recommend that the Government use that work to provide companies with 
guidelines to aid organisations in deciding what information they should require and 


130 Sam Fiorella, ‘The Insidiousness of Facebook Messenger's Mobile App Terms of Service’, The Huffington Post, 
huffingtonpost.com. Accessed 24 October 2014. 


31 Facebook, ‘Why is the Messenger app requesting permission to access features on my Android phone or tablet?’, en- 
gb.facebook.com. Accessed 24 October 2014. 


132 Facebook, ‘Why is the Messenger app requesting permission to access features on my Android phone or tablet?’, en- 
gb.facebook.com. Accessed 24 October 2014. 


33° Q5 [Sureyya Cansoy] 
34 Q89 [Professor McAuley] 


Responsible Use of Data 27 


how that, and the subsequent use of the data, might be managed responsibly. We expect 
the Government, in its response to this inquiry, to outline a draft timetable for when 
businesses might expect to receive Government endorsed guidelines in this area. 


Companies based in foreign jurisdictions 


58. Several of the larger social media platforms, like Facebook and LinkedIn, are 
headquartered in the USA, outside of the jurisdiction of UK and the EU and thus subject to 
different pressures when producing terms and conditions.'*° 


59. Steve Wood, Information Commissioner’s Office, noted that data protection issues 
possess a “global dimension”.'** The global nature of the internet can blur the traditional 
physical boundaries between legal jurisdictions and cause confusion when considering 
regulation. Carl Miller, Demos, stated that “legal jurisdiction” was coming up against 
“rapid technological change and globalised information architectures”.'*’ This issue was 
aptly demonstrated by a recent dispute between Microsoft and the US courts. The US 
Magistrate Judge James Francis in New York said “internet service providers such as 
Microsoft Corp or Google Inc, cannot refuse to turn over customer information and emails 
stored in other countries when issued a valid search warrant from U.S. law enforcement 
agencies”.'** The judge ordered Microsoft to hand over the contents of email stored on a 
server in Ireland, despite Microsoft having previously reassured global customers that their 
“data should not be searchable by U.S. authorities and said it would fight such requests”.'* 


60. Dr Mathieu d’Aquin told us that “the organisations that will have the best ability to 
misuse personal data are certainly private companies, especially large-scale private 
companies not located in the UK”.'” It has been revealed, for example, that Facebook had 
been manipulating the information presented to users in an experiment to assess user’s 
emotional reactions to being presented with posts containing positive or negative 
sentiments.'*! This experiment attracted controversy as it was not clear that Facebook’s 
users had consented to take part in an experiment which “manipulated” people’s thoughts 
and emotions.'* Dr Mark Elliot, University of Manchester, said that Facebook’s 
experiment was a “clear example of misuse” of data and that a “boundary [had been] 
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crossed” by Facebook.'*® However, Facebook's Data Use Policy indicates that users’ data 
may be shared if Facebook has: 


e received your permission; 
e given you notice, such as by telling you about it in this policy; or 


e removed your name and any other personally identifying information 
from it.'" 


61. According to the Information Commissioner’s Office, the proposal for the EU General 
Data Protection Regulation (GDPR) would “extend the scope of data protection to apply to 
data controllers outside the EU that are processing the personal data of people in the EU, if 
the processing relates to offering them goods or services or monitoring their behaviour 
(article 3)”.' We understand that negotiations about the contents of the GDPR are 
ongoing and that, in June 2014, the Council agreed a partial, general approach on limited 
elements of the proposal, including territorial scope and Article 3. 


62. The United States has also been wrestling with where the balance should lie in 
facilitating new data based business and protecting privacy. In response to a request for 
comment concerning big data and the Consumer Privacy Bill of Rights, the Internet 
Association, a trade association representing internet companies such as Yahoo!, wrote: 


We are concerned that any legislative proposal to address “big data” may 
create a “precautionary principle problem” that hinders the advancement of 
technologies and innovative services before they even develop.'*° 


The Internet Association considered that internet service users “trust” member companies 
(of the Internet Association) to “use their data responsibly” and that it should be sufficient 
for member companies to “voluntarily abide by self-regulatory codes such as the 
Interactive Advertising Bureau (IAB)’s Self-Regulatory Principles, Digital Advertising 
Alliance’s (DAA) Self-Regulatory Program, and the Network Advertising Initiative (NAI) 
Code of Conduct, which are subject to enforcement by the FTC [Federal Trade 
Commission]”.!4” 
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63. We are also aware of the “US-EU safe harbour” [sic] agreement, which operates as an 
“interoperability mechanism”, outlining “internationally accepted data protection 
principles”.'** The website for the agreement says that: 


The European Commission’s Directive on Data Protection went into effect in 
October of 1998, and would prohibit the transfer of personal data to non- 
European Union countries that do not meet the European Union (EU) 
“adequacy” standard for privacy protection. While the United States and the 
EU share the goal of enhancing privacy protection for their citizens, the 
United States takes a different approach to privacy from that taken by the 
EU. In order to bridge these differences in approach and provide a 
streamlined means for U.S. organizations to comply with the Directive, the 
U.S. Department of Commerce in consultation with the European 
Commission developed a "safe harbor" framework and this website to 
provide the information an organization would need to evaluate—and then 
join—the U.S.-EU Safe Harbor program.'”” 


The Internet Association thought that the US-EU Safe Harbour agreement must “remain 
strong for Internet businesses”.'”° 


64. In our report Malware and cybercrime we noted that the UK Government has a 
responsibility to protect UK citizens online, in an extension of the protections that are 
conferred on citizens in the offline world: a responsibility the Government accepted in 
its written evidence to this inquiry. As the majority of popular social media platforms 
are head-quartered in the US, we find it essential that the Government revisit all 
international agreements, including the US-EU safe harbour, to ensure that they protect 
UK citizens. We ask that, in its response to us, the Government outlines the international 
agreements that currently exist where it has ensured that the data of UK citizens will be 
guarded as well as if it were within UK legal jurisdictions. 


A Kitemark 


65. One solution to the lack of international governmental agreements on data protection, 
discussed during our inquiry, was the use of a ‘kitemark’ on the contents of terms and 
conditions documents.'*! Professor Derek McAuley, Horizon Digital Economy Research 
Institute, stated that this would provide users with confidence that any particular set of 
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terms and conditions met a “higher standard”.'* He thought that as a result, people might 


be able to “reflect on what they do and do not use”.'*° 


66. According to Carl Miller, Demos, the potential benefits of a kitemark system may 
include incentivising companies “to put in plain English in a few pages what the 
implications of people putting their data on those platforms really is” and an independent 
and authoritative authentication of “whether or not the terms and conditions were 
clear" 


67. One initiative that already exists to look specifically at the clarity of text on the internet 
is the Plain English Campaign, a citizen-led campaign launched in 1990. The organisation 
awards the “crystal mark”, which is a “seal of approval for the clarity of a document” and 
currently used internationally, applying to 21,000 documents in the UK, USA, Australia, 
Denmark, New Zealand and South Africa.'** The Campaign states that it is “the only 


internationally-recognised mark of its kind”.'*° 


68. The Minister was attracted to the introduction of a kitemark. He told us that the 
Information Economy Council during its work on terms and conditions would be 
engaging industry to come up with proposals for a kitemark, something he considered 
would be welcomed by industry.’*” 


69. We consider an internationally recognised kitemark to be the first step in ensuring 
the responsible use of the data of UK citizens by both social media platforms and other 
organisations. We are pleased that the Government seems to be working toward this end 
and recommend that, in its response to this report, it provides a draft timetable for when 
proposals for a kitemark can be expected. 
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5 The online citizen 


70. We have become increasingly concerned that the benefits of data sharing that might 
be achieved, in both governance and economic growth, are at risk because the public 
distrusts the technology and some organisations that provide online services. The 
Government has been working to provide an identity assurance scheme that would give 
those in receipt of Government benefits an online presence so that individual citizens 
can manage their personal details in their transactions with the State. This scheme 
could be the basis for all UK citizens to have a protected, online identity that could be 
used, if the Government was willing, for both governance and online commercial 
activities. 


71. We have also seen that the Government’s approach to online safety has been 
piecemeal and conducted tactically to meet immediate needs with little evidence of any 
horizon scanning. The Government should be considering now how it wants UK 
citizens to engage with both governmental and commercial online services. It should be 
seeking to provide a platform for UK citizens to engage those services without 
unnecessarily risking their personal data and enabling its citizens to make informed 
choices about what data to share, with whom and for what purpose. Future prosperity 
will be impacted by how well information flows between government, citizens and 
business. The Government needs to begin work so that all of its citizens have firm and 
secure foundations from which to build their online functionality. 
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Conclusions and recommendations 


Skills and infrastructure 


1. | We have seen repeatedly that the UK is not producing the technically proficient 
people required to support modern businesses. In our report, Educating Tomorrow's 
Engineers, we concluded that, despite the Government's recognition of the 
importance of engineering skills, there is a persistent gap in the numbers of engineers 
required to achieve economic growth. Data science is yet another skills area that 
urgently needs to be addressed if the UK is to be able to build an economy that can 
compete on the global stage. It is essential that the Government ensures that data 
science skills are promoted in educational institutions and within organisations that 
are able to provide data skills development. (Paragraph 21) 


2. | We repeat our recommendation, from our report, Educating Tomorrow’s Engineers, 
that learned societies, professional institutions and trade bodies put an obligation on 
their members to systematically engage in promoting data science skills through a 
structured programme of educational engagement. We request that the Government 
detail to us, in its response to this report, how it intends to ensure that organisations 
take part in a national effort to promote data science skills within the current and 
future UK workforce. (Paragraph 22) 


Government use of data 


3. Real buy-in from members of the public for the use of their data is most likely to be 
achieved by delivering well-run services, which meet the expectations of customers. 
There are some excellent examples of administrative services that already exist in the 
UK, which demonstrate exactly what the UK should be aiming for: one shining 
example is paying your road fund license on the DVLA website, an easy-to-use and 
efficient service. Services such as these provide benefits to both the service provider 
and customer, providing a trusted platform for the exchange of data and service. 
care.data is a clear example where this trusted relationship failed to develop. 
(Paragraph 28) 


4. | Members of the public do not appear to be wholly against the idea of their data being 
used by Government institutions, but support for data usage is highly dependent 
upon the context within which the data is collected. The Government should have 
learned from the experience with care.data and we recommend that the Government 
develop a privacy impact assessment that should be applied to all policies that collect, 
retain or process personal data. (Paragraph 29) 


Better information for users of online services 


5. We note that a primary concern of the general public is that it is unable to limit the 
misuse of personal data by large organisations, but we recognise the work of the ICO 
in addressing some of these issues. We are attracted to the position of the ICO that 
big data should play by the same rules as every other form of data processing. It is 
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essential that organisations operate in a transparent manner, allowing public 
confidence to flourish in light of knowledge about the way that their data is used. The 
UK is already a leading player on the global stage in using social media data and we 
are keen for this status to be maintained, but only if that can be achieved while 
ensuring the personal privacy of UK citizens. (Paragraph 35) 


We are not convinced that users of online services (such as social media platforms) 
are able to provide informed consent based simply on the provision of terms and 
conditions documents. We doubt that most people who agree to terms and 
conditions understand the access rights of third parties to their personal data. The 
terms and conditions currently favoured by many organisations are lengthy and 
filled with jargon. The opaque, literary style of such contracts renders them 
unsuitable for conveying an organisation’s intent for processing personal data to 
users. These documents are drafted for use in American court rooms, and no 
reasonable person can be expected to understand a document designed for such a 
niche use. We commend the Information Commissioner’s Office for investigating 
ways to simplify the contents of terms and conditions contracts and ask the 
Government, in its response to this report, to detail how the public at large will be 
involved in arriving at more robust mechanisms for achieving truly informed 
consent from users of online services. Clear communication with the public has been 
achieved in the past, for example in the use of graphic health warnings on cigarette 
packets. Effective communication with the public can be achieved again. 
(Paragraph 49) 


We consider it vital that companies effectively communicate how they intend to use 
the data of individuals and that if terms and conditions themselves cannot be made 
easier to understand, then the destination of data should be explained separately. We 
recommend that the Government drives the development of a set of information 
standards that companies can sign up to, committing themselves to explain to 
customers their plans to use personal data, in clear, concise and simple terms. In its 
response, the Government should outline who will be responsible for this policy and 
how it plans to assess the clarity with which companies communicate to customers. 
Whilst we support the Government in encouraging others to meet high standards, 
we expect it to lead by example. The Government cannot expect to dictate to others, 
when its own services, like care.data, have been found to be less than adequate. We 
request that the Government outline how it plans to audit its own services and what 
actions it plans to take on services that do not meet a satisfactory level of 
communication with users about the use of their personal data. (Paragraph 54) 


Regulating the use of personal data 


There is a qualitative difference between requesting personal information when 
registering for a service and requiring that same information. Companies should 
have a greater responsibility to explain their need to require (and retain) personal 
information than when they simply request it. We welcome the work of the 
Information Economy Council and recommend that the Government use that work 
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10. 


11. 


12. 


to provide companies with guidelines to aid organisations in deciding what 
information they should require and how that, and the subsequent use of the data, 
might be managed responsibly. We expect the Government, in its response to this 
inquiry, to outline a draft timetable for when businesses might expect to receive 
Government endorsed guidelines in this area. (Paragraph 57) 


In our report Malware and cybercrime we noted that the UK Government has a 
responsibility to protect UK citizens online, in an extension of the protections that 
are conferred on citizens in the offline world: a responsibility the Government 
accepted in its written evidence to this inquiry. As the majority of popular social 
media platforms are head-quartered in the US, we find it essential that the 
Government revisit all international agreements, including the US-EU safe harbour, 
to ensure that they protect UK citizens. We ask that, in its response to us, the 
Government outlines the international agreements that currently exist where it has 
ensured that the data of UK citizens will be guarded as well as if it were within UK 
legal jurisdictions. (Paragraph 64) 


We consider an internationally recognised kitemark to be the first step in ensuring 
the responsible use of the data of UK citizens by both social media platforms and 
other organisations. We are pleased that the Government seems to be working 
toward this end and recommend that, in its response to this report, it provides a draft 
timetable for when proposals for a kitemark can be expected. (Paragraph 69) 


We have become increasingly concerned that the benefits of data sharing that might 
be achieved, in both governance and economic growth, are at risk because the public 
distrusts the technology and some organisations that provide online services. The 
Government has been working to provide an identity assurance scheme that would 
give those in receipt of Government benefits an online presence so that individual 
citizens can manage their personal details in their transactions with the State. This 
scheme could be the basis for all UK citizens to have a protected, online identity that 
could be used, if the Government was willing, for both governance and online 
commercial activities. (Paragraph 70) 


Protecting the interests UK citizens online 


We have also seen that the Government’s approach to online safety has been 
piecemeal and conducted tactically to meet immediate needs with little evidence of 
any horizon scanning. The Government should be considering now how it wants UK 
citizens to engage with both governmental and commercial online services. It should 
be seeking to provide a platform for UK citizens to engage those services without 
unnecessarily risking their personal data and enabling its citizens to make informed 
choices about what data to share, with whom and for what purpose. Future 
prosperity will be impacted by how well information flows between government, 
citizens and business. The Government needs to begin work so that all of its citizens 
have firm and secure foundations from which to build their online functionality. 
(Paragraph 71) 
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